Topic: Norton detected SAP component (Read 3468 times)

Hi, NIS 2014 detected and automatically removed SAP's file. Here's a screenshot. As it seems to be a temp file, I'm not sure whether reporting it to Symantec makes sense. Even after a report, probably the same thing will happen. Oh, sure, just now I got another warning and NIS automatically deleted a similar [EDIT: I found it's actually the same file. Maybe SAP downloaded/created it again] file again. Can you do sth about this?

Even worse, now I tried to download the SecureAPlus installer but Norton detected and blocked it. Why don't you bother to register with Symantec's whitelisting program, which I've been suggesting several times? It may cost you, but otherwise you may lose potential customers who use Norton.

Hendy, Norton still keeps detecting SAP's temp file but this is their answer (relevant part only).

Quote

Upon further analysis and investigation we have verified your submissions and as such this detection of the SecureAPlus installer will be removed from our products.

But, for the provided tmp file, it's the definition file of SecureAPlus which contains plaintext malicious characters. The vendor SecureAPlus should encrypt their definition file to avoid False Positive. We recommend you to contact this vendor to fix this issue.

As a temporary solution, you can add the tmp file to exclusion to avoid detection.

As they suggested, pls consider encrypting def files to prevent FPs. Cheers!

Thank you very much for your help in reporting the false positive of the SecureAPlus installer to Norton. When you reported, we were trying to reproduce it, but we can't, so we are not able to report it to Norton. We are using the English version of Norton. I'm not sure whether there is any difference.

At the beginning, when you reported about the tmp file, we didn't have any idea what happened. After a while, we realized that it may be because when we want to do real-time scanning of a file, we make a copy of it as a temp file. At that time it was in plain. In the latest release of SecureAPlus, version 3.3.2, we have encrypted this file. I'm sorry that I haven't updated you about this.

There is still one problem though. The solution that I mentioned above will work if you only use Universal AV to do real-time scanning. When you use ClamAV, it will also create that kind of temporary file, which is the copy of the file that it scanned, and the content is in plain. So when it is scanning a virus, Norton may also detect that the temp file created by ClamAV is a virus (because it is the plain copy of the file).

The difference might be due to the heuristic setting in Norton. I use aggressive heuristics, and when I reported the FP to Symantec I also added a note about the aggressive setting cuz in a past FP incident they couldn't reproduce it until I reported that the heuristic setting made a difference. Now we can't confirm this as it is already fixed, but if the next FP happens, pls remind it. Maybe it's good news as most ppl remain in the default setting and won't see the FP.

Thanks, happy to hear you now encrypt def files except local AV. As to local AV, ofc I can set exclusion for the folder. But is it hard to encrypt its temp files too? I know ClamAV is open source 3rd party component, but as it is GPL license you can modify/alter it as long as you keep modified version in GPL license as well.